An apparatus includes an authentication arrangement for a communication connection, using a communication protocol, between two data processing devices of the apparatus. The data processing devices each have an interface unit for the communication connection and a computation unit. The interface units each have an encryption/decryption device, where the encryption/decryption device is at least partially produced by hardware for encrypting at least some of the user data to be transmitted via the communication connection as part of the authentication arrangement. The encryption/decryption device can be applied in a communication layer of the communication protocol to the user data prepared for the physical user data transmission or to the physically received user data. Each data processing device has a security unit, implemented as dedicated hardware that the computation unit cannot access and/or in a manner logically isolated from the computation unit. The security unit produces a trusted execution environment, of the authentication arrangement with a hardware-encoded key information, on the basis of which the user data are encrypted by the encryption/decryption device.
Legal claims defining the scope of protection, as filed with the USPTO.
1. An apparatus with an authentication arrangement for a communication connection, comprising: at least two data processing devices, configured to communicate with each other using a communication protocol, wherein each data processing device comprises: a computation unit; an interface unit comprising an encryption/decryption device, wherein the encryption/decryption device: is at least partially produced by hardware for encrypting user data to be transmitted via the communication connection as part of the authentication arrangement; and applies encryption or decryption, in a communication layer of the communication protocol, to the user data prepared for physical user data transmission, or to physically received user data, wherein the communication protocol is packet-based; and only one portion of the user data packets to be transmitted is encrypted, wherein an encryption state in an information unit of a header of the user data packets is displayed; and a security unit, wherein the security unit: is implemented as dedicated hardware that the computation unit cannot access, and/or logically isolated from the computation unit, and is configured to produce a trusted execution environment of the authentication arrangement with a hardware-encoded key information, wherein the user data are encrypted, by the encryption/decryption device, on a basis of the hardware-encoded key information.
2. The apparatus according to claim 1 , wherein the communication layer is a transport layer and/or a transaction layer.
3. The apparatus according to claim 1 , wherein the communication protocol is PCI Express.
4. The apparatus according to claim 1 , wherein the encrypted portion of user data packet is dynamically or user adjustable.
5. The apparatus according to claim 1 , wherein the security unit comprises at least one protection mechanism against a reading or reading out of the hardware-encoded key information.
6. The apparatus according to claim 1 , wherein the authentication arrangement is designed for negotiating a session key to be used for a communication session on the basis of the hardware-encoded key information.
7. The apparatus according to claim 1 , wherein the hardware-encoded key information is a symmetrical key information, which comprises an identical base key for each data processing device.
8. The apparatus according to claim 7 , wherein the apparatus is configured to provide a plurality of base keys to derive different subkeys.
9. The apparatus according to claim 7 , wherein the security unit is designed to derive different subkeys from the identical base key.
10. The apparatus according to claim 7 , wherein the apparatus is configured to select a key using a property of the apparatus and/or a usage parameter of the apparatus.
11. The apparatus according to claim 1 , wherein the security unit is designed as a one-chip system that includes the computation unit and/or the interface unit.
12. The apparatus according to claim 11 , wherein the security unit is designed as a trusted zone of the one-chip system.
13. The apparatus according to claim 11 , wherein the security unit is designed as an embedded security element of the one-chip system.
14. The apparatus according to claim 11 , wherein the security unit is designed as a trusted platform module.
15. The apparatus according to claim 1 , wherein the apparatus is a motor vehicle.
16. The apparatus according to claim 15 , wherein at least one of the at least two data processing devices is a control device.
17. A method for implicitly authenticating a communication connection between at least two data processing devices of an apparatus, the method comprising: implementing a security unit as dedicated hardware that a computation unit cannot access; producing, by the security unit, a hardware-encoded key information for a trusted execution environment for the implicitly authenticating of the communication connection; producing, at least partially by hardware, an encryption/decryption device in an interface unit for the communication connection; encrypting, by the encryption/decryption device, user data on a basis of the hardware-encoded key information; applying, in a communication layer of a communication protocol, encryption or decryption to user data prepared for physical user data transmission, or to physically received user data, wherein: the communication protocol is packet-based; and only one portion of user data packets to be transmitted is encrypted, wherein an encryption state in an information unit of a header of the user data packets is displayed; and establishing, by the communication protocol, the implicitly authenticated communication connection between the at least two data processing devices of the apparatus.
18. The method according to claim 17 , wherein the implementing of the security unit comprises logically isolating the security unit from the computation unit.
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
July 5, 2018
March 16, 2021
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.